Cyber Security | Web Development

 This is demo exploit for MongoDB filter option. Filter Accessories : Business Logic: if(this.category == ""Accessories") { / ...do something } Exploitation: if(this.category == 'Accessories' && this.limit == 3)  // Original if( this.category == 'Accessories ' || '1' == '1 ' && this.limit == 3 )  // Payload Injected { / ...do something } Capture the request in the burp suite. Try with combination of symbolic to make error the request. "   '   $   {   }  `   ; Try with combination of Boolean expression  ' && 1 == 1 ' && '1' == '1 ' || 1 == 1 ' || '1' == '1 ' || 1 || ' || 1 || ' ' || '1' == '1 Note: Make sure apply with encode is CTRL + U.   

Tool Name: Havij (Educational Purpose Only) Description: Havij is an automated SQL injection tool designed for penetration testers to identify and exploit SQL injection vulnerabilities in web applications. It streamlines the testing process, allowing security professionals to efficiently assess the security of a website's database interactions. Download URL:  https://www.darknet.org.uk/2010/09/havij-advanced-automated-sql-injection-tool/ Step 1:  Enter the application target link in the Havij tool and click analyze . Step 2: Get the application details from the Info Section. Step 3: Get the application database's from the  Tables  section. Step 4: Get the application database records with columns details. Successfully logged in the application as shown in the below screenshots.

  How to Set Up OpenDNS on a WiFi Router Step 1: Create a account using below link: Web Link :  https://signup.opendns.com/homefree/ Step 2: Configure your IP address into the OpenDNS account as following below steps > Click Add this network > Provide network name > Save it. Step 3: Choose your filtering level as per your  choices. Step 4: We are successfully implemented and prevent access to inappropriate websites, block phishing sites, and prevent virus and malware infections. 😀  

Install docker in kali Step 1: $ sudo apt-get update Step 2:$ sudo apt-get install docker-ce docker-ce-cli containerd.io Step 3:$ sudo apt-get install docker-ce docker-ce-cli containerd.io Check whether install correctly or not Step 4:$ sudo docker run hello-world Step 5: Swith to Root user in kali $ sudo su Step 6: Get github file https://github.com/rahulunair/vulnerable-api#readme $ docker run -tid -p 8081:8081 --name api mkam/vulnerable-api-demo Step 7:   You can now test your api $  curl localhost:8081 -v To list images $ docker image ls To pull back image                $ docker pull mkam/vulnerable-api-demo Run in port $ curl localhost:8081 -v Run the app $ docker run -tid -p 8081:8081 --name api mkam/vulnerable-api-demo

 Attacking Token via Sequencer Step 1: Log in to the application and retrieve the token value from the response header Step 2: Before click the start live capture > Make sure configure the settings as show in the below images. Step 3: Make sure highlight the token value. Step 4: Click "Analyze Now" to determine the strength of the token value. Step 5: Use decoding techniques for the token.

 API Enumeration - Fuzzing The following of endpoints which can be test for Fuzzing Paths: Example's of Endpoints: v2, resources, books, published, or 1993 Command - 1: wfuzz -c -z file,/usr/share/wordlists/dirb/common.txt --sc 200 'http://www.example.com/api/v1/books?show= FUZZ ' Command - 2: gobuster dir -w /usr/share/wordlists/dirb/common.txt - u http://<IP> API's Enumeration via Source code discovery Finding the endpoints from the Source Code via Browser Note: JsCode Formatter: https://beautifier.io/ Thank You :) See you in Next Topic...